Computer Architectures and Safety Integrity Level Apportionment
H. Jansen & H. Schäbe
TÜV InterTraffic GmbH, Köln, Germany
Abstract
Currently, technical systems are becoming more and more complex. A main
contribution comes from electronic control systems that allow for a larger
number of functions. The concept of Safety Integrity Levels (SILs) has been
developed within different systems of standards (IEC 61508, EN 50129 /
EN 50128 and DEF-STAN 00-56). These standards are applied in different
areas: control technology (IEC 61508), railway technology (EN 50129 and EN
50128) and defence technology (DEF-STAN 00-56). SILs are a tool for
assigning safety targets to systems. The concept of a SIL within the different
standards is explained.
The problem of assigning SILs to functional units within a system is
discussed, especially how a SIL is realised by a certain safety architecture of a
system. Some standards give rules for system architecture and for how to achieve
a higher SIL for a system designed from constituents that have a lower SIL.
Examples of system architectures and SIL assignment are given.
For all systems, the choice of SILs for hardware and software is discussed and
the problems arising are described.
Keywords: Safety Integrity Level (SIL), SIL apportionment, EN 50129, fault tree
analysis, computer architectures, railway technology, DEF-STAN-00-56, IEC
61508.
1 Introduction
Currently, technical systems are becoming more and more complex. This is true
even for technical systems of small size, since they incorporate different
technologies. A main contribution comes from electronic control systems that allow for a
Computers in Railways IX, J. Allan, C. A. Brebbia, R. J. Hill, G. Sciutto & S. Sone (Editors)
© 2004 WIT Press, www.witpress.com, ISBN 1-85312-715-9
294 Computers in Railways IX
The safety integrity level has been introduced in several standards (IEC 61508,
DEF-STAN 00-56, EN 50126, EN 50128, EN 50129). In all of these standards,
four safety integrity levels are defined. A safety integrity level is a discrete level
for defining requirements for safety integrity.
The Safety Integrity Level (SIL) consists of two main aspects:
a) A target failure rate, which is a maximal rate of dangerous failures of the
system that must not be exceeded.
In IEC 61508, besides rates of dangerous failures, probabilities of failure
on demand are defined for systems that are operated in demand mode.
The target failure rate is intended to characterise the random failures of the
system.
b) A set of measures dedicated to coping with systematic failures.
These measures shall ensure that systematic failures can be neglected
compared with random failures.
For software, only systematic failures are considered and no target failure rate
is given.
The safety integrity levels and their target failure rates are defined as follows.
Remarks:
The standards EN 50126 and EN 50128 do not give target failure rates. EN
50126 requires only the existence of Safety Integrity Levels. EN 50128 is
dedicated to software and to software SILs without numeric rates.
DEF-STAN 00-56 gives the target rates implicitly, by stating verbal
equivalents and presenting numbers for those in another place.
It has to be noted that the Safety Integrity Levels as defined in IEC 61508 and
EN 50129 on the one hand do not coincide with those defined in DEF-STAN
00-56 on the other.
There exist different methods to determine the Safety Integrity Level of a
particular technical system. This question will not be discussed in detail here;
see EN 50129 [4] and Schäbe [7, 8]. In this connection, it should be mentioned
that EN 50129 requires the SIL to be defined at the level of a system function.
present that always shall have the SIL of the system. Besides this restriction, the
table presents the following rules:
present the same data, however, for DEF-STAN 00-56 [1]. The remaining three
columns, located in the second part of the table, give the sub-system SIL and the
target rates for the sub-system according to both standards.
Table 2
System
SIL | Target rate (IEC 61508) | Computed rate (IEC 61508) | Target rate (DEF-STAN 00-56) | Computed rate (DEF-STAN 00-56)
4   | 10^-8/h                 | 10^-10/h                  | 10^-8/h                      | 10^-8/h
3   | 10^-7/h                 | 10^-8/h                   | 10^-6/h                      | 10^-4/h
2   | 10^-6/h                 | 10^-6/h                   | 10^-4/h                      | 1/h
Sub-system
SIL | Target rate (IEC 61508) | Target rate (DEF-STAN 00-56)
3   | 10^-7/h                 | 10^-6/h
2   | 10^-6/h                 | 10^-4/h
1   | 10^-5/h                 | 10^-2/h
Table 3
System
SIL | Target rate (IEC 61508) | Necessary inspection interval (IEC 61508) [h] | Target rate (DEF-STAN 00-56) | Necessary inspection interval (DEF-STAN 00-56) [h]
4   | 10^-8/h                 | 1 000 000                                     | 10^-8/h                      | 1000
3   | 10^-7/h                 | 100 000                                       | 10^-6/h                      | 100
2   | 10^-6/h                 | 10 000                                        | 10^-4/h                      | 1
Sub-system
SIL | Target rate (IEC 61508) | Target rate (DEF-STAN 00-56)
3   | 10^-7/h                 | 10^-6/h
2   | 10^-6/h                 | 10^-4/h
1   | 10^-5/h                 | 10^-2/h
From the table, it becomes clear that the SIL apportionment might lead to
inconsistencies. For the assumed inspection interval, within IEC 61508 [5] the
system reaches its target and is even better than the target for SIL3 and SIL4
(system). On the contrary, for DEF-STAN 00-56 [1], a system constructed from
sub-systems with a lower SIL does not reach the target for SIL2 and SIL3
(system). This consideration is purely numerical and does not even take into
account the additional complications that arise when measures against systematic
failures are considered. The key to the problem lies in the inspection interval.
Table 3 gives the inspection interval necessary to meet the numeric requirements.
The structure of table 3 is almost the same as that of table 2. The third and
fifth columns present the necessary inspection intervals to meet the target failure
rate for the SIL of the system.
It can be seen that there are large differences between the various SILs, and
also between the values obtained for IEC 61508 [5] and DEF-STAN 00-56 [1].
In any case, the failure rates (or target rates) of the sub-systems have to be
used to derive the system's failure rate with the help of a small fault tree, in order
to verify that the system fulfils at least the target failure rate requirement. For
this computation, the inspection interval has to be taken into account.
Besides the target rates, design requirements have to be considered when
sub-systems of a lower SIL are combined with the intention of constructing a
system with a higher SIL.
DEF-STAN 00-56 [1] requires in clause 7.3.3 that “Design rules and
techniques appropriate to each safety integrity level shall be determined prior to
implementation...”. No other, more specific information on design rules is given.
This is a weakness when considering the SIL combination rule of DEF-STAN
00-56 [1].
Much more specific information is given in IEC 61508 [5] (part 2, annex A3 and
annex B) and EN 50129 [4] (annex E). Here, different design methods are
required for the different SILs, the most extensive set of methods being required
for SIL4. Certainly, this entire set of methods cannot be transferred easily, and
for all possible systems, into a simple rule for combining sub-systems of a lower
SIL to form a system with a higher SIL.
However, two important points shall be mentioned.
1) Clause B.3.1 of EN 50129 [4] requires the absence of single faults for SIL3 and
SIL4. A parallel structure of two sub-systems fulfils this, provided that no element
is common to both sub-systems (the software shared by both sub-systems in the
examples below is exactly such an element).
2) It can be seen from the tables of design requirements in IEC 61508 [5],
EN 50129 [4] and EN 50128 [3] that the requirements for SIL1 and SIL2 are
similar, those for SIL2 being stricter. The same holds for SIL3 and SIL4.
The substantial differences occur between SIL2 and SIL3, and between SIL1 and
non-safety-relevant systems.
Consequently, each case of SIL apportionment has to be studied specifically
with regard to design rules. The formal application of the SIL combination rule
from DEF-STAN 00-56 [1] cannot be recommended in the area of application of
EN 50126 [2] and IEC 61508 [5]. In addition, the target failure rates have to be
considered together with the inspection intervals.
4 Examples
In this section, several examples of simple systems are considered. It is
assumed for all examples that the inspection intervals are chosen adequately. For
the systems described below, it is assumed that IEC 61508 [5] or EN 50129 [4]
is applied.
Two sub-systems are connected in parallel. Assume that each sub-system checks
the other and is able to bring the entire system into a safe state, so that a
combinator is not necessary.
[Figure: Sub-system 1 and Sub-system 2 connected in parallel]
In case the sub-systems are operated by software, the picture given above
changes. Usually, the same software is used in both sub-systems, as shown in
the following picture.
[Figure: Sub-system 1 and Sub-system 2 in parallel, both running the same Software]
If the entire system shall have SIL4, the software shall also be SIL4. This is in
accordance with the requirements of the standards (e.g. EN 50128 [3]), which
require the software SIL to be at least as high as the system SIL. Moreover,
the software is not redundant in the system. Analogously, a SIL2 system can be
constructed from two parallel SIL1 sub-systems with SIL2 software.
If the system is required to have SIL3, the software must also have SIL3. If
the hardware is SIL2, additional considerations have to be made, as for the
system described in 4.1.
4.3 System with diverse software
If there is different software in both sub-systems, the block diagram looks as
follows.
[Figure: Sub-system 1 (hardware) with Software 1 and Sub-system 2 (hardware) with Software 2 in parallel; and the variant in which Software 1 and Software 2 run on common Hardware]
If such a system is required to have SIL4, the hardware must have SIL4 and
both software versions must be at least SIL3. In addition, it must be proven that
each failure of the hardware is detected by the software and that there are means
to bring the system into a safe state. The same can be done if the system shall
have SIL2: then the hardware has to have SIL2 and there must be two independent
software versions of SIL1 each. For a SIL3 system, however, a detailed study is
necessary if the hardware is SIL3 and the software versions are SIL2.
It should be noted that the question of the independence of two software
versions running on the same hardware is not trivial. This problem will not be
discussed here.
[Figure: Hardware 1 running Software 1, in parallel with a Hardware bypass]
Obviously, if the “hardware bypass” has the same SIL as required for the
system, hardware 1 and software 1 do not need to have any SIL.
Also, the same logic as in 4.1 can be applied, i.e. constructing a SIL4 system
from SIL3 sub-systems (hardware 1 and software 1 on the one side, the hardware
bypass on the other). In any case, “software 1” must have the same SIL as
“hardware 1”.
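The single-fault requirement of clause B.3.1 and the SIL conclusions drawn for the four architectures above can be checked structurally by enumerating the minimal cut sets of each architecture's fault tree: an element that forms a cut set of order 1 is the non-redundant element that must carry the full system SIL on its own, and an element that appears in every cut set is the one whose SIL bounds the system (the hardware bypass). The following is an added example and not part of the paper: the fault trees, the MOCUS-style expansion and all names are the example's own modelling of the text, and the diverse-software case is modelled as the common-hardware variant the text analyses.

```python
"""Minimal cut sets for the section 4 architectures (added example).

A fault tree is a nested tuple ("AND", ...) / ("OR", ...) whose leaves are
basic-event names; the top event is "system fails dangerously". Cut sets are
expanded top-down in the manner of MOCUS. A minimal cut set of order 1 is a
single fault, which clause B.3.1 of EN 50129 rules out for SIL3 and SIL4, so
any such element has to carry the full system SIL itself. The trees and names
below are this example's own modelling of the architectures in the text.
"""


def cut_sets(tree):
    """Minimal cut sets of a fault tree, as a list of frozensets."""
    if isinstance(tree, str):                     # basic event
        return [frozenset([tree])]
    gate, *children = tree
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":                              # any child suffices
        sets = [s for cs in child_sets for s in cs]
    elif gate == "AND":                           # all children needed
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Minimise: discard any cut set that contains another cut set.
    minimal = []
    for s in sorted(set(sets), key=lambda cs: (len(cs), sorted(cs))):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


def single_faults(tree):
    """Basic events whose failure alone causes the top event (order-1 cut sets)."""
    return sorted(next(iter(s)) for s in cut_sets(tree) if len(s) == 1)


def needed_for_every_failure(tree):
    """Basic events present in every minimal cut set: the system cannot fail
    dangerously unless each of them has failed, so the system's dangerous
    failure probability is bounded by that of any one of them."""
    return sorted(frozenset.intersection(*cut_sets(tree)))


# 4.1: two sub-systems in parallel, each able to bring the system to a safe state
TWO_PARALLEL = ("AND", "sub-system 1", "sub-system 2")

# 4.2: the same software runs in both sub-systems
SHARED_SOFTWARE = ("OR", "software", ("AND", "sub-system 1", "sub-system 2"))

# 4.3: two diverse software versions on common hardware (the variant the text analyses)
DIVERSE_SOFTWARE = ("OR", "hardware", ("AND", "software 1", "software 2"))

# 4.4: hardware 1 running software 1, in parallel with a hardware bypass
HARDWARE_BYPASS = ("AND", ("OR", "hardware 1", "software 1"), "hardware bypass")

ARCHITECTURES = {
    "4.1 two parallel sub-systems": TWO_PARALLEL,
    "4.2 shared software": SHARED_SOFTWARE,
    "4.3 diverse software, common hardware": DIVERSE_SOFTWARE,
    "4.4 hardware bypass": HARDWARE_BYPASS,
}


def report(architectures=ARCHITECTURES):
    """Per architecture: (minimal cut sets, single faults, elements in every cut set)."""
    return {name: (cut_sets(t), single_faults(t), needed_for_every_failure(t))
            for name, t in architectures.items()}


if __name__ == "__main__":
    for name, (sets, singles, needed) in report().items():
        print(name)
        print("  minimal cut sets :", [sorted(s) for s in sets])
        print("  single faults    :", singles or "none (B.3.1 satisfied structurally)")
        print("  in every cut set :", needed or "none")
```

The output matches the text's conclusions: 4.2 has "software" as its only single fault (the software is not redundant and must carry the system SIL), 4.3 has "hardware" as the single fault (the hardware must carry the system SIL while the two software versions may be one level lower), and 4.4 has no single fault but "hardware bypass" in every cut set, which is why a bypass of the full system SIL relieves hardware 1 and software 1. The check is purely structural: it says nothing about the independence of the two software versions or about rates, which still need the fault-tree computation with the inspection interval.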
Another question is still left open: are other combinations possible? A good
example would be a SIL1 system built from systems that have no SIL. Usually,
commercial off-the-shelf systems do not have a SIL. The examples described
above are not complete; there are other possibilities to build safety-relevant
systems. However, it is complicated to give a general rule. In each case, the
particular application has to be studied and a safety case for the system has to
be elaborated. A good indication of whether the chosen architecture would meet
a SIL requirement is that the target failure rate of the system SIL is not exceeded
by the rate of the system computed from the rates of its sub-systems.
5 Conclusions
A general rule for SIL apportionment such as that given in DEF-STAN 00-56 [1]
cannot be provided. In any case, target failure rates and/or inspection intervals
have to be taken into account. If this is not obeyed, SIL apportionment becomes
inconsistent. Several variants of architectures of simple systems have been
considered.
General rules can only be given for sub-systems connected in parallel and for
some SILs. Other system architectures, and these are most of them, have to be
studied in detail.
A good indication of whether the chosen architecture would meet a SIL
requirement is that the target failure rate of the system SIL is not exceeded by
the rate of the system computed from the rates of its sub-systems.
References
[1] DEF STAN 00-56, Safety Management Requirements for Defence Systems, parts 1 and 2, Dec. 1996.
[2] EN 50126, Railway Applications – The Specification and Demonstration of Dependability, Reliability, Availability, Maintainability and Safety (RAMS), March 2000.
[3] EN 50128, Railway applications – Communications, signalling and processing systems – Software for railway control and protection systems, March 2001.
[4] EN 50129, Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling, February 2003.
[5] IEC 61508, parts 1-6, Functional safety of electrical/electronic/programmable electronic safety-related systems.
[6] Joint Airworthiness Authorities, Joint Airworthiness Requirements JAR-25 Large Aeroplanes.
[7] Schäbe, H., 2001a, Different Approaches for Determination of Tolerable Hazard Rates, ESREL 2001, Torino, Conference Proceedings, vol. 1, pp. 435-442.
[8] Schäbe, H., 2001b, Different Principles Used for Determination of Tolerable Hazard Rates, 9 pp., Materials of the World Congress on Railway Research, Cologne, 25-29.11.2001, 12-03.
[9] User Viewpoint of 00-56, http://www-scm.tees.ac.uk/hazop/standards/56/viewp/riskest5.htm.
[10] Yellow Book, http://www.yellow_book_rail.org.uk/site/the_yellow_book/volume_2/chapter_09.pdf.
[11] Cook, R., 2002, System Architectural Implications Following SIL Assignment – A Railway Signalling Example, IEE Seminar “SILs – Does Reality Meet Theory”, 9 April 2002, http://www.iee.org/oncomms/pn/functionalsafety/libtary.cfm.